The newer version of Apache::Session has 32 byte session id strings. I don't know if these are randomly generated or if the algorithm takes care of verifying that they're not repeated, but given the number of bits involved I would say that the chance of it generating the same key twice (for a human population) is smaller than 1/(number of hydrogen atoms in the universe). :-)